Port Forwarding

Hello everyone, I was wondering if someone could point me in the right direction. I am trying to learn how to port forward on my RB750G.


Example:
WAN1 = 207.172.60.61/24 Gate = 207.172.60.1
LAN = 192.168.1.1/24
SERVER = 192.168.1.25 TCP and UDP 80 and 22610

Thank you very much in advance.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Port_mapping

Port mapping
If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port, port mapping), you can do it like this:


/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234

This rule translates to: when an incoming connection requests TCP port 1234, use the DST-NAT action and redirect it to local address 192.168.1.1 and the port 1234


/ip firewall nat 
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.1.25
add chain=dstnat in-interface=WAN1 protocol=udp dst-port=80 action=dst-nat to-address=192.168.1.25 
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=22610 action=dst-nat to-address=192.168.1.25
add chain=dstnat in-interface=WAN1 protocol=udp dst-port=22610 action=dst-nat to-address=192.168.1.25

Thank you very much. Do I have to add a firewall rule to let the traffic pass?

Depends. By default all traffic is permitted. If you put rules in place that drop traffic, you might have to open those ports back up. If you didn’t, you should be fine.

When I un-check in the web interface it works:

Protect router:
Protect LAN:

If I leave these un-checked is my network at risk? If so what firewall rules would I have to implement for the port forwarding to work?

Leave them checked and add the following rules:

/ip firewall filter
add chain=forward in-interface=WAN1 protocol=tcp dst-port=80,22610 dst-address=192.168.1.25
add chain=forward in-interface=WAN1 protocol=udp dst-port=80,22610 dst-address=192.168.1.25

The wiki manual also has user-generated content with many examples for firewall rules.

Thanks again. I had to move them to the top of the list for them to work. Is that correct?

How do I log the IP addresses that access this server with the routerboard?

I use Apache in my internal servers, and I use the logs in them. Is there a reason you don’t want to use those? They are more detailed than you could expect in the router.

ADD: Bear in mind only the destination IP is translated on inbound packets. The source address is unaltered, and they will show in your server logs.
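
Added example, not part of the original thread and not RouterOS code: a simplified Python model of the path discussed above (dst-nat first, then the forward filter chain evaluated top to bottom), showing why the accept rules had to sit above the drop rule and that a log rule sees the client's real source address. `DROP_ALL` is an assumed stand-in for whatever the "Protect LAN" checkbox adds, the source address 198.51.100.7 is a constructed sample, and packets addressed to the router itself (input chain) are not modelled.

```python
# Simplified model: dst-nat is applied first, then the forward filter chain is
# walked top to bottom and the first terminating match decides the verdict.
# Added illustration only; this is not RouterOS code.

NAT = [  # (protocol, dst_port, to_address), taken from the dstnat rules in the thread
    ("tcp", 80, "192.168.1.25"), ("udp", 80, "192.168.1.25"),
    ("tcp", 22610, "192.168.1.25"), ("udp", 22610, "192.168.1.25"),
]

def accept_rule(proto):
    # Mirrors: chain=forward protocol=<proto> dst-port=80,22610 dst-address=192.168.1.25
    return {"action": "accept", "proto": proto, "ports": {80, 22610}, "dst": "192.168.1.25"}

LOG_RULE = {"action": "log", "dst": "192.168.1.25"}  # non-terminating: evaluation continues
DROP_ALL = {"action": "drop"}                        # assumed stand-in for "Protect LAN"

def matches(rule, pkt):
    # A field missing from the rule matches anything.
    return (rule.get("proto") in (None, pkt["proto"])
            and ("ports" not in rule or pkt["dport"] in rule["ports"])
            and rule.get("dst") in (None, pkt["dst"]))

def process(pkt, forward_chain):
    """Return (verdict, log_lines) for a packet arriving on the WAN side."""
    pkt = dict(pkt)                       # work on a copy
    for proto, port, to_addr in NAT:
        if (pkt["proto"], pkt["dport"]) == (proto, port):
            pkt["dst"] = to_addr          # only the destination is rewritten
            break
    logs = []
    for rule in forward_chain:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "log":
            logs.append(f'{pkt["src"]} -> {pkt["dst"]}:{pkt["dport"]}/{pkt["proto"]}')
            continue
        return rule["action"], logs
    return "accept", logs                 # no terminating match: permitted by default

# Constructed sample packet: an outside client hitting the public address on TCP 80.
PKT = {"src": "198.51.100.7", "dst": "207.172.60.61", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    chains = {"drop first": [DROP_ALL, accept_rule("tcp"), accept_rule("udp")],
              "accept first": [LOG_RULE, accept_rule("tcp"), accept_rule("udp"), DROP_ALL]}
    for name, chain in chains.items():
        print(name, process(PKT, chain))
```

The filter rules match on 192.168.1.25 rather than the public address because the forward chain sees the packet after dst-nat has rewritten its destination.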
